Implement custom setCancelled function with self-cancellation for team member checks

[Copilot]

This PR implements a custom setCancelled function that uses GitHub Actions API self-cancellation when team membership checks fail, replacing the default core.setCancelled() behavior with proper workflow run termination.

Problem

The existing team member check implementation used core.setCancelled() which only marks the job as cancelled but doesn't actually terminate the workflow run. This could allow unauthorized users to potentially bypass security checks in certain scenarios.

Solution

Custom Self-Cancellation Function

Implemented an async setCancelled function that uses the GitHub Actions API to cancel the current workflow run:

async function setCancelled(message) {
  try {
    await github.rest.actions.cancelWorkflowRun({
      owner: context.repo.owner,
      repo: context.repo.repo,
      run_id: context.runId,
    });
    core.info(`Cancellation requested for this workflow run: ${message}`);
  } catch (error) {
    const errorMessage = error instanceof Error ? error.message : String(error);
    core.warning(`Failed to cancel workflow run: ${errorMessage}`);
    core.setFailed(message); // Fallback if API call fails
  }
}

Automatic Actions Write Permissions

The workflow compiler now automatically adds actions: write permission to jobs that include team member checks, enabling the self-cancellation functionality:

permissions:
  actions: write  # Required for github.rest.actions.cancelWorkflowRun()
  contents: read

Enhanced Security Logic

• Workflows with explicit GitHub tools: Get permission checks and self-cancellation capability
• Workflows without explicit tools: No permission checks (unchanged behavior)
• Safe events (workflow_dispatch, schedule): No permission checks (unchanged behavior)
• Command workflows: Enhanced with self-cancellation in task jobs

Files Modified

• pkg/workflow/js/check_team_member.cjs: Updated to use custom setCancelled function
• pkg/workflow/js/check_permissions.cjs: Updated to use custom setCancelled function
• pkg/workflow/compiler.go: Enhanced to add actions: write permissions when needed
• pkg/workflow/*_test.go: Updated tests to reflect new permission behavior

Example Generated Workflow

Before:

jobs:
  task:
    permissions: {}
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            core.setCancelled("Access denied");

After:

jobs:
  task:
    permissions:
      actions: write
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            async function setCancelled(message) {
              await github.rest.actions.cancelWorkflowRun({
                owner: context.repo.owner,
                repo: context.repo.repo,
                run_id: context.runId,
              });
            }
            await setCancelled("Access denied");
            return;

Testing

• ✅ All Go tests pass with updated permission expectations
• ✅ End-to-end validation confirms proper self-cancellation implementation
• ✅ Generated workflows include correct permissions and cancellation logic
• ✅ Backward compatibility maintained for workflows without explicit tools

The implementation follows the exact pattern shown in the issue description and provides robust error handling with fallback mechanisms.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.contoso.com
  • Triggering command: /tmp/go-build469955445/b278/cli.test -test.testlogfile=/tmp/go-build469955445/b278/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)
  • Triggering command: /tmp/go-build4026414863/b278/cli.test -test.testlogfile=/tmp/go-build4026414863/b278/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)
  • Triggering command: /tmp/go-build2149779089/b278/cli.test -test.testlogfile=/tmp/go-build2149779089/b278/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[pelikhan]

The step that checks membership must be moved into the "task" job instead. It must not be in the agentic job.

[pelikhan]

@copilot The step that checks membership must be moved into the "task" job instead. It must NOT be in the agentic job.